(54) Data access control apparatus for limiting data access in
accordance with user attribute

(57) This invention provides a data access control apparatus
arranged to automatically set access right information limiting
data access, in accordance with a user attribute, when a user
accesses a database. In setting, for a plurality of users, access
right information corresponding to each user, the load on an
operator can be reduced, and access right information setting
errors can be prevented. An automatic setting unit (M2) reads out
information from a login management information file (LMF) and an
employee information file (DB) on the basis of definition
information of definition files (LLF, FGF, RGF) to automatically
generate a user access right management file (UMF) which stores a
login ID, an item access right, and a record access right group
code for each user. When a login ID is input in accessing the
employee information file (DB), a setting controller (M1) refers
to the management file (UMF) to determine a user group to which
the user belongs and an access enabled/disabled state of the data
on the basis of the access right made to correspond to this user
group.

FIG. 7

EP 0 927 921 A2

Description 

[0001] The present invention relates to a data access control
apparatus for limiting data access in accordance with user
attributes.
[0002] In a conventional data access control apparatus for
accessing a database in accordance with a relational database
management system (RDBMS), access right information is set using
a database language "SQL", and the database access is controlled
in accordance with the RDBMS functions. As another method, the
access right information is managed by an upper application layer
to control access to the database.
[0003] In setting or changing an access right using the database
language "SQL", descriptions based on the SQL are required to
request the data item name, file name, and retrieval condition
corresponding to "SELECT", "FROM", and "WHERE" in the data access
SQL statement (SELECT statement). The more complicated the
database inquiry conditions are, the larger the work amount
becomes. Sophisticated database knowledge and SQL knowledge are
required. It is very difficult for a regular operator to
set/change the access right using the SQL. At present, the regular
operator requests a database manager to set/change the access
right.

[0004] In the method of managing the access right information by
the upper application layer, complicated logic must be installed
in an application itself. It is very difficult for even a
specialist having advanced knowledge to set/change the access
right information. When the database is accessed using another
tool, security of the database may be impaired. This method is not
suitable for an open environment in which a variety of software
applications are present.
[0005] The present applicant has proposed a technique (Japanese
Patent Application No. 9-149913 entitled "Data Access Control
Apparatus and its Program Recording Medium") which eliminates
descriptions based on settings using the database language in
setting an access right in accordance with a user attribute to
allow a regular operator having no special knowledge to easily set
or change an access right, and which does not describe an access
right in an application itself to maintain security in an open
environment by access control upon analyzing access right
information individually managed.

[0006] It is an object of the present invention to provide a data
access control apparatus which can reduce an operator's load and
prevent setting errors of access right information in setting, in
units of users, access right information corresponding to each
user.
[0007] The feature of the present invention is as fol- 
lows. 

[0008] A data access control apparatus for limiting access to data
on the basis of a user attribute in accessing the data in a
database having a plurality of records each constituted by a
plurality of data items comprises: user information storage means
for storing at least a data item representing identification
information unique to a user and a data item representing a user
attribute in correspondence with a plurality of users; definition
means for defining a user group corresponding to contents of the
data item representing the user attribute; generation means for
generating user group information representing that a user group
is made to correspond to each user; access right information
storage means for storing access right information in
correspondence with the user group, the access right information
representing whether access to the data in the database is
allowed; and access control means for, when an arbitrary user is
designated in accessing the database, determining a user group, to
which the arbitrary user belongs, with reference to the user group
information generated by the generation means, and determining on
the basis of the access right information made to correspond to
the determined user group whether access to the data in the
database is allowed.
[0009] According to the present invention, in setting, 
in units of users, access right information corresponding 
to each user, the operator's load can be reduced, and 
setting errors of the access right information can be pre- 
vented. A regular operator having no special knowledge 
can automatically set access right information without 
performing settings. Therefore, security of the database 
can be maintained even in an open environment. 
[0010] This summary of the invention does not necessarily describe
all necessary features so that the invention may also be a
sub-combination of these described features.

[0011] The invention can be more fully understood from the
following detailed description when taken in conjunction with the
accompanying drawings, in which:

FIG. 1 is a block diagram showing the overall 
arrangement of a data access control apparatus; 
FIG. 2 is a view showing name files in a memory 
unit 3; 

FIGS. 3A1 and 3A2 are views showing the data 
structure of an item access right automatic genera- 
tion definition file FGF and its example, FIGS. 3B1 
and 3B2 are views showing the data structure of a 
record access right automatic generation definition 
file RGF and its example, and FIGS. 3C1 and 3C2 
are views showing the data structure of a login 
management information linking definition file LLF 
and its example; 

FIG. 4 is a view showing the structure of a login 
management information file LMF; 
FIG. 5 is a view showing the structure of an 
employee information file DB; 
FIG. 6A is a view showing the structure of a user 
access right management file UMF of an embodi- 
ment, and FIGS. 6B and 6C are views showing 
application examples as the modifications of the 
user access right management file UMF; 
FIG. 7 is a view showing automatic generation of
the user access right management file UMF on the
basis of the employee information file DB, the item
access right automatic generation definition file
FGF, the record access right automatic generation
definition file RGF, the login management informa-
tion file LMF, and the login management informa-
tion linking definition file LLF;

FIG. 8 is a flow chart showing the outline of the 
overall operation in setting an access right; 
FIG. 9 is a flow chart for explaining step A1 (item 
access right setting processing) in FIG. 8 in detail; 
FIG. 10 is a flow chart for explaining step A2 (record 
access right setting processing) in FIG. 8 in detail; 
FIG. 11 is a flow chart for explaining step A3 (user
access right group automatic setting processing) in
FIG. 8 in detail;

FIG. 12 is a flow chart for explaining step A4 
(access right setting processing) in FIG. 8 in detail; 
FIG. 13 is a flow chart for explaining step E1 
(access right optimization processing) in FIG. 12 in 
detail; 

FIG. 14 is a flow chart showing access right control 
processing; 

FIG. 15 is a view showing an example in which an 
item access right is set in a table form; 
FIG. 16 is a view showing an example in which a 
record access right is set in a table form; 
FIG. 17A is a view showing the data structure of an
item access right management file FMF, and FIG.
17B is a view showing the data structure of a record
access right management file RMF;
FIGS. 18A through 18C are views showing the
structures of the user access right management file
UMF, an optimization access right management file
OPF, and a user DB access right file UAF, respectively;

FIG. 19 is a view showing the contents retrieved, 
displayed, and output from an employee informa- 
tion file in accordance with its set contents when 
only an item access right is set for a regular 
employee; 

FIG. 20 is a view showing the contents retrieved,
displayed, and output from an employee information
file when a user who is the general affairs department
manager is given as a condition; and
FIG. 21 is a view showing the contents retrieved, 
displayed, and output from an employee informa- 
tion file when a regular employee belonging to the 
general affairs department is given as a condition. 

[0012] An embodiment of the present invention will be
described with reference to FIGS. 1 through 21.
[0013] FIG. 1 is a block diagram showing the overall 
arrangement of a data access control apparatus. 
[0014] A CPU 1 is a central processing unit for controlling the
overall operation of the data access control apparatus in
accordance with a variety of programs loaded in a RAM 2. A memory
unit 3 has a storage medium 4 which stores an operating system, a
variety of application programs, a database, character font data,
and the like in advance, and a drive system for the storage medium
4. The storage medium 4 may be a fixed or detachable medium and
can be constituted by a magnetic or optical storage medium (e.g.,
a floppy disk, hard disk, optical disk, or RAM card), or a
semiconductor memory. The programs and data in the storage medium
4 can be loaded in the RAM 2 under the control of the CPU 1, as
needed. The CPU 1 receives a program and data transmitted from
another device through a communication line or channel and stores
them in the storage medium 4, or uses a program or data stored in
a storage medium in another device via a communication line or
channel.

[0015] The CPU 1 is connected via a bus line to an input unit 5, a
display unit 6, and a printer 7, all of which serve as
input/output peripheral devices. The CPU 1 controls these devices
in accordance with an input/output program.

[0016] The input unit 5 comprises a keyboard for inputting
character string data and various commands, or a pointing device
such as a mouse. The display unit 6 comprises a full-color display
liquid crystal display unit, CRT display unit, or plasma display
unit. The printer 7 is a full-color printer such as a non-impact
printer (e.g., a thermal transfer or ink-jet printer) or an impact
printer.
[0017] FIG. 2 shows the main contents of the memory unit 3. A
database DB is, for example, a relational office processing
database which stores information necessary for business
operations of enterprises. This database contains an employee
information file, a personnel book file, a salesperson sales
management file, and the like. The database DB is exemplified as
the one containing an employee information file. The employee
information file DB is accessed by a relational database
management system RDBMS. More specifically, when a user requests
data matching a predetermined condition, an application program AP
receives this retrieval request and generates a SQL statement in
accordance with this request. The program AP sends the SQL
statement to the relational database management system RDBMS. Upon
reception of the SQL statement, the relational database management
system RDBMS analyzes this SQL statement, accesses the employee
information file DB, and transfers the retrieved data to the
application program AP. An access right setting table form FM
represents table form information to be displayed and output in
setting/changing an access right of the employee information file
DB in accordance with a user attribute in units of user groups. A
regular business operator sets/changes an access right in
correspondence with a user group in this table. As files for
setting/changing the access right of the employee information file
DB in units of user groups, the memory unit 3 stores an item
access right automatic generation definition file FGF, a record
access right automatic generation definition file RGF, a login
management information file LMF, a login management information
linking definition file LLF, a user access right management file
UMF, an item access right management file FMF, a record access
right management file RMF, an optimization access right management
file OPF, and a user DB access right file UAF.

[0018] The item access right automatic generation definition file
FGF defines, as an item access right group, information for
classifying users in accordance with a user attribute such as a
post in an enterprise. FIGS. 3A1 and 3A2 are views for explaining
the item access right automatic generation definition file FGF, in
which FIG. 3A1 shows its data structure, and FIG. 3A2 shows its
example. In this case, in order to classify the users into groups
in accordance with the contents of data items represented by an
item name "Field = post" of the employee information file (DB)
(see FIG. 5), "department manager", "section manager", "personnel
department manager", "regular employee", ... are defined in
correspondence with group codes A, B, C, D, .... The record access
right automatic generation definition file RGF defines, as a
record access right group, information for classifying the users
into groups in accordance with a user attribute, e.g., the
enterprise departments to which the users belong. FIGS. 3B1 and
3B2 are views for explaining the record access right automatic
generation definition file RGF, in which FIG. 3B1 shows its data
structure, and FIG. 3B2 shows its example. In this case, in order
to classify the users into groups in accordance with the contents
of data items represented by an item name "Field = department" of
the employee information file DB, "personnel department", "general
affairs department", "sales department", ... are defined in
correspondence with group codes 1, 2, 3, ....

[0019] The login management information linking definition file
LLF links the employee information file (DB) with the login
management information file LMF (to be described later). FIGS. 3C1
and 3C2 are views for explaining the login management information
linking definition file LLF, in which FIG. 3C1 shows its data
structure and FIG. 3C2 shows its example. In this case, "Login =
item name" represents the item name "user No." of the login
management information file LMF (see FIG. 4), and "File" defines
the database name "personnel" and the file name "employee
information". "Field" also defines the item name "employee No." of
the employee information file (DB). This allows the item "employee
No." of the employee information file (DB) to be retrieved using
the item "user No." of the login management information file LMF
as a retrieval key. As shown in FIG. 4, the login management
information file LMF defines "login ID", "user No.", "password",
"home directory", and the like for each user. A login ID and a
password are input in file access. Note that the home directory is
personal information. As shown in FIG. 5, one record of the
employee information file (DB) has items of "employee No.",
"name", "office location", "department", "section", "post",
"qualification", "efficiency rating", "salary", ..., and
"application for personnel changes".

[0020] As shown in FIG. 6A, the user access right management file
UMF stores and manages "login ID", "item access right group code",
and "record access right group code" in units of users. The user
access right management file UMF is automatically generated on the
basis of the contents of the employee information file (DB), the
item access right automatic generation definition file FGF, the
record access right automatic generation definition file RGF, the
login management information file LMF, and the login management
information linking definition file LLF. FIG. 7 illustrates
generation of this user access right management file UMF. When a
user access right group automatic setting unit M2 is activated by
a user access right setting controller M1, the user access right
group automatic setting unit M2 reads out information from the
login management information file LMF and the employee information
file (DB) on the basis of definition information from the login
management information linking definition file LLF, the item
access right automatic generation definition file FGF, and the
record access right automatic generation definition file RGF to
generate the user access right management file UMF. Upon a change
in contents of the employee information file (DB), the user access
right setting controller M1 activates the user access right group
automatic setting unit M2 to update the contents of the user
access right management file UMF in accordance with the change in
the employee information file (DB), thereby maintaining
consistency between the employee information file and the user
access right management file UMF. When an arbitrary login ID and
password are input in accessing the employee information file, the
application execution control refers to the user DB access right
file UAF to determine a user group to which the user belongs. At
the same time, the application execution control determines on the
basis of the access right made to correspond to this user group
whether access to an item and record is allowed. The application
execution control performs access control based on the above
determination. The item access right management file FMF stores
and manages an item name permitted for access in units of item
access right groups. The record access right management file RMF
stores and manages an access condition for each group in
accordance with a combination of an item access right and a record
access right. The optimization access right management file OPF
stores and manages an access right of the contents of the record
access right management file RMF, which is optimized under a
predetermined condition, in order to improve access efficiency.
The user DB access right file UAF stores and manages a user access
in accordance with the contents of the user access right
management file UMF and the optimization access right management
file OPF.
[0021] The operation of the data access control apparatus will be
described with reference to flow charts in FIGS. 8 to 14. The
programs for realizing the functions described in these flow
charts are stored in the memory unit 3 in the form of program
codes readable by the CPU 1. The contents of the memory unit 3 are
loaded in the RAM 2.

[0022] FIG. 8 is a flow chart showing the overall oper- 
ation in setting an access right in the data access con- 
trol apparatus. 

[0023] When the operation of setting a database access right is
started, item access right setting processing is performed in step
A1 of FIG. 8.

[0024] FIG. 9 is a flow chart showing this setting 
processing. Predetermined table form information is 
called from the access right setting table form FM (step 
B1). As shown in FIG. 15, the table form has a file name
column outside the table. Group columns are arranged 
as the column items in the table, and file data item col- 
umns are arranged as row items. A list of file names 
present in the database is displayed, and the user des- 
ignates an arbitrary file from the list as an access target. 
When the file name as the access target is selected 
(step B2), the selected file name is displayed in the file 
column (step B3). Assume an employee information file 
is selected and designated. The file name "employee 
information" is displayed in the file name column. The 
names of data items present in the file selected as the 
access target are displayed in the data item columns in 
the table together with the table form (step B4). The 
group codes and their item values which are defined in 
the item access right automatic generation definition file 
FGF are read out and displayed in the group columns in 
the table (step B5). In this case, as shown in FIG. 15, "A, 
department manager", "B, section manager", "C, per- 
sonnel staff", and "D, regular employee" are classified, 
arranged, and displayed in the group columns of the 
table. 

[0025] As described above, the data item names of 
the access target file are displayed as the row caption of 
the table. The codes representing the user groups and 
the item contents are displayed together with the table 
form as the column caption of the table. Access right 
information of each item is input and designated by 
describing a predetermined symbol in correspondence 
with each user group at each intersection of the matrix 
consisting of the row and column captions (step B6). In 
this case, when item access is permitted or allowed, a
circle is written in the intersection area. When item
access is inhibited, the intersection area is left
blank. Symbols are sequentially written in the
intersection areas by sequentially updating the row and
column points. When all information is filled in the table,
the set information is transferred to and stored and managed
in the item access right management file FMF (step B7).
[0026] FIG. 17A shows the data structure of the item access right
management file FMF. The data is stored in the form of "FILE" =
file name, item access right group code; permitted item name;
permitted item name; permitted item name; .... When access to all
the items is permitted, the permitted item names following the
item access right group codes are omitted. When no item access
right group code is present, no access right is present in the
corresponding file. In this manner, when the item access rights
are set in units of user groups, A (department manager) and C
(personnel staff) are allowed to access all the items of the
employee information file, while B (section manager) is not
allowed to access the items of "reward and punishment" and
"application for personnel changes". B is allowed to access the
remaining items. The number of items to which access is inhibited
increases for D (regular employee).
[0027] The flow advances to step A2 in FIG. 8 to per- 
form record access right setting processing. 

[0028] FIG. 10 is a flow chart showing this setting processing.
Predetermined table form information is called from the access
right setting table form FM (step C1). In this case, the table
form has item access right group columns as the column items in
the table, and record access right group columns as the row items.
A list of file names of various files present in the database is
displayed, and an arbitrary file is designated from this list as
an access target. When the file name is selected (step C2), the
selected file name is displayed in the file name column (step C3).
The user group codes and item contents which are defined in the
item access right automatic generation definition file FGF are
read out and displayed in the item access right group columns in
the table (step C4). In this case, as shown in FIG. 16, "A,
department manager", ..., "D, regular employee" are classified,
arranged, and displayed in the group columns. The user group codes
and item contents which are defined in the record access right
automatic generation definition file RGF are read out and
displayed in the record access right group columns in the table
(step C5). In this case, "1, personnel department", "2, general
affairs department", and "3, sales department" are classified,
arranged, and displayed in the corresponding group columns, as
shown in FIG. 16.

[0029] As described above, the item access right group information
is displayed as the column caption of the table, while the record
access right group information is displayed as the row caption of
the table. A record access condition is written at an intersection
of a matrix consisting of the row and column captions (step C6).
In this case, each intersection area is divided into two parts so
that two different record access conditions can be set. Each
record access condition is described using a logic expression
obtained by connecting a data item name to a condition value using
a comparison operator (<, ≤, =, ≥, ≠). When a condition value is
omitted, the condition value is given by the value unique to the
user himself. That is, "department =" indicates that the user
belongs to the same department. When a plurality of record access
conditions are set in each intersection area, an AND condition is
set in this area. For example, an intersection area "C1"
(personnel staff, personnel department) having the item access
right group code "C" and a record access right group code "1"
indicates that the "user belongs to the same office location" but
the "user is different from a person to be accessed (different
employee No.)". Note that no record access condition is set in a
meaningless area such as C2 (personnel staff, general affairs
department). Record access conditions are described in
intersection areas by sequentially updating the row and column
points. When the table is completely filled, the set contents are
transferred to and stored and managed in the record access right
management file RMF (step C7).
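The record access condition rules of this paragraph (an omitted condition value is bound to the requesting user's own value, and several conditions in one intersection area are ANDed) can be evaluated as in the following added Python example, which is not code from the patent. The ASCII operator spellings `<=`, `>=`, `!=`, the record layout, the sample employees, and denying access when no condition is set are assumptions.

```python
import re

# "<item name> <operator> [value]"; ASCII operator spellings are an assumption.
_COND = re.compile(r"^\s*(.+?)\s*(<=|>=|!=|<|=)\s*(.*?)\s*$")


def parse_condition(text):
    """Split a condition such as 'department =' into (item, operator, value)."""
    match = _COND.match(text)
    if match is None:
        raise ValueError(f"not a record access condition: {text!r}")
    item, op, value = match.groups()
    return item, op, (value or None)   # None marks an omitted condition value


def _compare(left, op, right):
    """Apply one comparison operator, numerically when both sides are numbers."""
    try:
        left, right = float(left), float(right)
    except (TypeError, ValueError):
        left, right = str(left), str(right)
    return {"<": left < right, "<=": left <= right, "=": left == right,
            ">=": left >= right, "!=": left != right}[op]


def record_allowed(conditions, user, target):
    """True if the user's record conditions all hold for the target record."""
    if not conditions:
        return False                   # assumption: an area with no condition denies
    for text in conditions:
        item, op, value = parse_condition(text)
        if value is None:
            value = user.get(item)     # omitted value: the user's own value
        if value is None or item not in target:
            return False               # cannot evaluate: deny
        if not _compare(target[item], op, value):
            return False               # conditions in one area are ANDed
    return True


# Intersection area C1 from the text: same office location, different employee.
C1 = ["office location =", "employee No. !="]

# Constructed sample records.
USER = {"employee No.": "10300", "office location": "Tokyo",
        "department": "personnel department"}
SAME_OFFICE = {"employee No.": "10412", "office location": "Tokyo",
               "department": "sales department"}
OTHER_OFFICE = {"employee No.": "10518", "office location": "Osaka",
                "department": "sales department"}

if __name__ == "__main__":
    for target in (SAME_OFFICE, USER, OTHER_OFFICE):
        print(target["employee No."], record_allowed(C1, USER, target))
```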

[0030] FIG. 17B shows the data structure of the record access
right management file RMF. Table setting information in FIG. 16 is
stored and managed in the data format shown in FIG. 17B. In this
case, the data format is FILE = file name, access right code;
condition item name: condition; condition item name: condition;
.... Note that the access right code is a combination of an item
access right group code and a record access right group code.

[0031] The flow advances to step A3 in FIG. 8 to perform user
access right automatic setting processing.
[0032] FIG. 11 is a flow chart showing this automatic setting
processing.
[0033] The following initialization is performed. An i register
for accessing the login management information file LMF is
cleared, and at the same time, all the contents of the user access
right management file UMF are cleared (step D1). "1" is added to
the i register to update its value (step D2). The login management
information file LMF is accessed using the value of this i
register to read out the i-th record. The "login ID" is extracted
from the i-th record to set it in a register X1 (step D3). In this
case, in the example shown in FIG. 4, the login ID "tuzaki" of the
first record is set in the register X1. The value of the item name
"user No." defined in "Login" of the login management information
linking definition file LLF is defined as retrieval data in place
of the login ID of the first record (step D4). The database file
"employee information file DB" is specified as a retrieval target
file on the basis of the DB name "employee information, personnel"
and the file name defined in "File" of the login management
information linking definition file LLF (step D5). The
corresponding file is retrieved using as the database file
retrieval target item the item name "employee No." defined in
"Field" of the login management information linking definition
file LLF and as a retrieval key the retrieval data specified in
step D4, thereby defining the retrieved record as a linking target
(step D6). That is, in the examples of FIGS. 3A1 to 3C2 and 4,
"user No. = 10265" is compared with the employee No. of the
employee information file, and the record of tuzaki ○○ represented
by employee No. = 10265 is defined as the linking target.
[0034] Of all the items constituting the record of the linking
target, the content of the item with the item name "post" defined
in "Field" of the item access right automatic generation
definition file FGF is taken into consideration. When this
coincides with one of the item contents "department manager",
"section manager", ... defined in "CodeN" of the item access right
automatic generation definition file FGF, the coincident user
group code is set in a register X2 (step D7). In this case, in the
record of tuzaki ○○, his post is the department manager, and "A"
is set as the user group code in the register X2. Of all the items
constituting the linking target record, the content of the item
name "department" defined in "Field" of the record access right
automatic generation definition file RGF is taken into
consideration. When this coincides with one of the item contents,
i.e., "personnel department", "general affairs department", ...,
the coincident user group code is set in a register X3 (step D8).
In this case, in the record of tuzaki ○○, his department is the
personnel department, and "1" is set as the user group code in the
register X3. The data in the registers X1, X2, and X3 are combined
to prepare a record having a data structure of X1 = X2X3. This
record is written in the user access right management file UMF
(step D9). In this case, the record of tuzaki = A1 is written as
the start record of the user access right management file UMF (see
FIG. 6A). The user name is represented by the login ID, and the
access right group is the combination of the item access right
group code and the record access right group code. In this case,
"tuzaki" has an access right such that his item access right group
is the department manager, and his record access right group is
the personnel department. To repeat the above operation up to the
final record of the login management information file LMF, the
flow returns to step D2 until it is detected that the current
record exceeds the final record in step D10.
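The automatic setting loop of steps D1 through D10, written out as an added Python example (not code from the patent). The dictionary layouts for LLF, FGF, RGF, LMF and DB are assumptions, every record other than tuzaki / 10265 is constructed, and leaving a login out of the UMF when it has no linked employee record or an undefined attribute value is an assumed behaviour the text does not specify.

```python
# Definition files; the key names follow the text, the layout is assumed.
LLF = {"Login": "user No.",
       "File": ("personnel", "employee information"),
       "Field": "employee No."}
FGF = {"Field": "post",
       "Code": {"department manager": "A", "section manager": "B",
                "personnel staff": "C", "regular employee": "D"}}
RGF = {"Field": "department",
       "Code": {"personnel department": "1",
                "general affairs department": "2",
                "sales department": "3"}}

# Login management information file; only tuzaki / 10265 is from the text.
LMF = [
    {"login ID": "tuzaki", "user No.": "10265"},
    {"login ID": "sato", "user No.": "20111"},    # constructed
    {"login ID": "guest", "user No.": "99999"},   # constructed: no employee record
    {"login ID": "mori", "user No.": "30555"},    # constructed: post not in FGF
]

# Employee information file (constructed records, reduced to the items used).
DB = [
    {"employee No.": "10265", "department": "personnel department",
     "post": "department manager"},
    {"employee No.": "20111", "department": "sales department",
     "post": "regular employee"},
    {"employee No.": "30555", "department": "general affairs department",
     "post": "advisor"},
]


def generate_umf(lmf, db, llf, fgf, rgf):
    """Return (umf, skipped): login ID -> access right code, plus rejects."""
    umf = {}                                   # D1: start from an empty UMF
    skipped = []
    by_key = {rec[llf["Field"]]: rec for rec in db}
    for login in lmf:                          # D2/D10: walk every LMF record
        x1 = login["login ID"]                 # D3: register X1
        key = login[llf["Login"]]              # D4: retrieval data (user No.)
        employee = by_key.get(key)             # D5/D6: linking target record
        if employee is None:
            skipped.append((x1, "no linked employee record"))
            continue
        x2 = fgf["Code"].get(employee.get(fgf["Field"]))   # D7: item group
        x3 = rgf["Code"].get(employee.get(rgf["Field"]))   # D8: record group
        if x2 is None or x3 is None:
            # Assumption: no group code means no UMF record, hence no access.
            skipped.append((x1, "attribute value not defined in FGF/RGF"))
            continue
        umf[x1] = x2 + x3                      # D9: record "X1 = X2X3"
    return umf, skipped


if __name__ == "__main__":
    umf, skipped = generate_umf(LMF, DB, LLF, FGF, RGF)
    for login_id, code in umf.items():
        print(f"{login_id} = {code}")
    for login_id, reason in skipped:
        print(f"skipped {login_id}: {reason}")
```

Re-running the function after any change to the employee records corresponds to the consistency update that the controller M1 triggers; the skipped list is what an operator would review for users left without any access right group.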
[0035] When settings in the item access right man- 
agement file FMF, the record access right management 
file RMF, and the user access right management file 
UMF are complete, the flow advances to step A4 in FIG. 
8 to perform access right setting processing. 
[0036] FIG. 12 is a flow chart showing this setting processing.
Access optimization processing is performed first (step E1). This
optimization processing is performed in accordance with a flow
chart in FIG. 13. More specifically, the contents of the record
access right management file RMF are read out (step F1). Record
access conditions of rows whose item access rights of the access
right codes of files are the same are compared with each other.
Access right codes having the same condition are classified as a
group (step F2). The access right codes set in the record access
right management files RMF are combinations of item access rights
and record access rights, such as A1, B1, A2, .... For example,
record access conditions made to correspond to the access right
codes of the rows having the same item access right, such as A1,
A2, and A3 are compared with each other. As shown in FIG. 16, the
conditions of codes A2 and A3 are the same, i.e., "department =",
and the conditions of codes B2 and B3 are the same, i.e., "section
=". Access right codes A2 and A3 or access right codes B2 and B3
are classified into the same group. The access right codes of all
the files which belong to the same groups are set into a group
"group =". The group is transferred to the optimization access
right management file OPF (step F3).
[0037] FIG. 18B shows the data structure of the
optimization access right management file OPF. The
contents of the record access right management file RMF
shown in FIG. 17B are optimized and recorded and
managed in a data format shown in FIG. 18B. In this
case, the data format is group = group name: access
right group code; access right group code; file name:
condition item name; condition: condition item name:
condition. This group name is added to the group
obtained in access right optimization processing and is
represented by A-1, A-2, B-1, B-2. In FIG. 18B,
"employee XX" represents a file name different from the
employee information file.

[0038] When this access right optimization processing
is complete, the flow advances to step E2 in FIG. 12 to
determine the specifications of the access right in
accordance with a combination of the optimization
access right management file OPF and the item access
right management file FMF. The specifications here
mean how the view and schema on the relational
database management system RDBMS side are set. That
is, the schema is an optimal group name (e.g., A-1 or
B-1), and the group and schema are defined in a 1:1
correspondence. An item access right defined in the item
access right management file FMF and a view for
managing an access right in units of files in accordance with
a record access right defined in the optimization access
right management file OPF are defined in each schema.
A synonym is defined for a file given all authorities.
[0039] A SQL statement for designating generation of 
a VIEW table for the relational database management 
system RDBMS is prepared on the basis of the access 
right specifications determined as described above 
(step E3). The automatically prepared SQL statement is 
set in the database DB through the relational database 
management system RDBMS (step E4). The user DB 
access right file UAF is prepared on the basis of the 
contents of the optimization access right management 
file OPF and the user access right management file 
UMF (step E5). That is, the user DB access right file 
UAF used to convert the login name input in data 
access into the login name (optimized group name) of 
the database DB is prepared on the basis of the contents
of the optimization access right management file OPF and
the user access right management file UMF. The pre- 
pared user DB access right file UAF is set in the data- 
base DB. FIG. 18A shows the data structure of the user 
access right management file UMF, and FIG. 18C 
shows the data structure of the user DB access right file 
UAF. 

[0040] The operation of accessing the database DB in
accordance with the set contents of the access right,
after the access right setting described above is
complete, will be described with reference to the
flowchart in FIG. 14.

[0041] When the login name of a user who requested
an access is input to the system, the user DB access
right file UAF is retrieved on the basis of the input login
name. The input login name is converted into the login
name of the employee information file DB (step G1). For
example, when "tuzaki" is input, this login name is
converted into "A-1". Access processing is requested from the
relational database management system RDBMS using
the converted login name (step G2).
[0042] On the relational database management system
RDBMS side, the SQL statement from the application
program AP is analyzed, and a VIEW table is
generated, stored, and managed. Upon receiving the
access request, the VIEW table of this login name is
analyzed to designate an access target file. At the same
time, items and records permitted to be accessed are
retrieved, and the retrieval result is output. In this case,
information of items and records not permitted to be
accessed is transmitted to the host application execution
control.

[0043] When the access disabled state is detected
from the relational database management system
RDBMS (step G3), post-processing such as "*" insertion,
blank insertion, and non-display is performed by
application execution control for the items and records which
are set in the access disabled state (step G4). The flow
then advances to data display processing (step G5). If no
access disabled state is detected, the flow directly
advances to data display processing (step G5).
[0044] The retrieval operation has been exemplified.
In write processing, RDBMS and application execution
control perform appropriate processing for a request for
processing the items and records which are set in the
access disabled state.

[0045] The contents of the employee information file
(FIG. 5) accessible by the user as a regular employee
are shown in FIG. 19. The case in FIG. 19 indicates that
a record access right is not set, but only an item access
right is set. That is, assume that whether item access is
permitted is described in correspondence with the item
access right group (regular employee) in units of data
items of the employee information file, as shown in FIG.
15. In this case, access to the data items "qualification",
"efficiency rating", "salary", "age", "reward and
punishment", and "application for personnel changes" is
inhibited due to confidentiality. The corresponding item areas
are displayed while being embedded with asterisks. For
example, the contents of the employee information file
which the general affairs department manager can
access are shown in FIG. 20. Assume that retrieval
condition items and their condition values are described in
the table of FIG. 16 in correspondence with the item
access right group (department manager) and the
record access right group (general affairs department).
In this case, only the records of the department to which
the user belongs are accessed and displayed in a list,
but records belonging to other departments are not
displayed. The department manager is allowed to access
all the items. For example, the contents of the employee
information file which can be accessed by a regular
employee in the general affairs department are shown
in FIG. 21. The retrieval condition items and their
condition values described in correspondence with the item
access right group (regular employee) and the record
access right group (general affairs department) are
shown as "section =", and "post s", as shown in FIG. 16.
Whether access to the data items and records is
permitted is set in accordance with the AND condition of
the above items. Therefore, the record of a person
whose post is lower than the user and who belongs to
the same section as the user can be accessed. The
item areas whose access is disabled are embedded
with asterisks.
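
The view generation (steps E2 to E4) and the login conversion and masking (steps G1 to G4) described above, as an added example that is not part of the patent text. It assumes SQLite as the RDBMS; the table, item and view names, the group "C-1" and the sample records are constructed for illustration. Because identifiers and view conditions cannot be bound as parameters, the generator allow-lists item names and quotes condition values before emitting the statement.

```python
import re
import sqlite3

# Constructed sample records; table, item and view names are assumptions.
ALL_ITEMS = ["name", "department", "post", "salary"]
EMPLOYEES = [
    ("tuzaki", "personnel", "department manager", 900),
    ("sato", "personnel", "regular employee", 400),
    ("ito", "general affairs", "regular employee", 420),
]
# Role of FMF: items each group may read ("C-1" is a constructed group).
ITEM_RIGHTS = {
    "A-1": ["name", "department", "post", "salary"],
    "C-1": ["name", "department", "post"],
}
# Role of OPF: record condition per group (condition item -> required value).
RECORD_RIGHTS = {
    "A-1": {"department": "personnel"},
    "C-1": {"department": "personnel"},
}
# Role of UAF: login name -> optimized group name.
USER_GROUP = {"tuzaki": "A-1", "sato": "C-1"}


def view_name(group):
    """Derive the view identifier from a group name such as 'A-1'."""
    if not re.fullmatch(r"[A-Z]-[0-9]+", group):
        raise ValueError("bad group name: %r" % (group,))
    return "v_" + group.replace("-", "_")


def build_view_sql(group):
    """Steps E2-E3: prepare the CREATE VIEW statement for one group."""
    items = ITEM_RIGHTS[group]
    conds = RECORD_RIGHTS.get(group, {})
    # Identifiers cannot be bound as parameters, so allow-list every one.
    for ident in list(items) + list(conds):
        if ident not in ALL_ITEMS:
            raise ValueError("unknown item: %r" % (ident,))
    sql = "CREATE VIEW %s AS SELECT %s FROM employee" % (
        view_name(group), ", ".join(items))
    if conds:
        # SQLite rejects bound parameters inside a view definition, so the
        # condition value is emitted as a literal with ' doubled.
        sql += " WHERE " + " AND ".join(
            "%s = '%s'" % (item, str(value).replace("'", "''"))
            for item, value in conds.items())
    return sql


def setup():
    """Create the employee table and set one view per group (step E4)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employee "
               "(name TEXT, department TEXT, post TEXT, salary INTEGER)")
    db.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", EMPLOYEES)
    for group in ITEM_RIGHTS:
        db.execute(build_view_sql(group))
    return db


def access(db, login):
    """Steps G1-G4: convert the login, read via the view, mask denied items."""
    group = USER_GROUP.get(login)
    if group is None:
        # A login with no generated access right gets nothing, not everything.
        raise PermissionError("no access right set for %r" % (login,))
    cur = db.execute("SELECT * FROM %s" % view_name(group))
    allowed = [col[0] for col in cur.description]
    rows = []
    for record in cur.fetchall():
        got = dict(zip(allowed, record))
        rows.append([str(got[i]) if i in got else "*****" for i in ALL_ITEMS])
    return rows


if __name__ == "__main__":
    db = setup()
    for login in ("tuzaki", "sato"):
        print(login, access(db, login))
```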

[0046] As described above, according to the data
access control apparatus, information from the login
management information file LMF and the employee
information file DB is read out on the basis of the
definition information from the login management information
linking definition file LLF, the item access right
automatic generation definition file FGF, and the record
access right automatic generation definition file RGF to
automatically set the user access right management file
UMF. The contents of the user access right management
file UMF need not be input and set for each user.
That is, when an operator wants to set the contents of
the user access right management file UMF in accordance
with the contents of the employee information file
DB containing information of a large number of users, it
takes a long period of time to input information. At the
same time, the input depends on the attentiveness
of the operator, and input errors readily occur. However,
since the user access right management file UMF is
automatically set, the load on the operator can be
reduced, and reliable settings are achieved. In addition,
the consistency between the employee information file
DB and the user access right management file UMF can
be assured. When the contents of the employee
information file DB are changed, the set contents of the user
access right management file UMF can automatically
change.
[0047] In setting an access right in accordance with a 
user attribute, a description based on settings using the 
database language can be omitted, and a general busi- 
ness operator having no special knowledge can easily 
set and change the access right. At the same time, an
access right is not described in an application itself, and 
access right information separately managed is ana- 
lyzed to perform access right control. Therefore, secu- 
rity can be maintained even in an open environment. 
[0048] In the embodiment described above, as shown
in FIG. 6A, an item access right group code is combined
with a record access right group code in correspondence
with a login ID. However, only an item access right
group code, as shown in FIG. 6B, or only a record
access right group code, as shown in FIG. 6C, may be
set in a user access right management file UMF.
[0049] If access right setting control for operations such
as read, write, record insertion, and record delete is allowed,
finer access right control can be performed. The above
embodiment employs the relational database management
system RDBMS; the degree of freedom in access
right control can be expanded under the control of an
upper DB application layer (DB use application).
[0050] The present invention allows an access right to be set
and controlled for linking a plurality of files present in a
database. In addition, an access right can be set and 
controlled by selecting one or a plurality of files in the 
database. The target range of setting access rights can 
be greatly enlarged. 

Claims 

1. A data access control apparatus for limiting access
to data on the basis of a user attribute in accessing 
the data in a database having a plurality of records 
each constituted by a plurality of data items charac- 
terized by comprising: 

user information storage means (3) for storing 
at least a data item representing identification 
information unique to a user and a data item 
representing a user attribute in correspond- 
ence with a plurality of users; 
definition means (FGF, RGF, LLF) for defining a
user group corresponding to contents of the 
data item representing the user attribute; 
generation means (M2) for generating user 
group information representing that a user 
group is made to correspond to each user; 
access right information storage means (UMF, 
FMF, RMF, UAF) for storing access right infor- 
mation in correspondence with the user group, 
the access right information representing 
whether access to the data in the database is 
allowed; and 

access control means (M1) for, when an arbi- 
trary user is designated in accessing the data- 
base, determining a user group, to which the 
arbitrary user belongs, with reference to the 
user group information generated by said gen- 
eration means, and determining on the basis of 
the access right information made to corre- 
spond to the determined user group whether 
access to the data in the database is allowed. 

2. An apparatus according to claim 1, characterized in
that said definition means (FGF) defines a user 
group corresponding to a user post. 

3. An apparatus according to claim 1, characterized in
that said definition means (RGF) defines a user
group corresponding to a department to which a




4. An apparatus according to claim 1, characterized in
that said access right information storage means
(FMF) stores item access right information representing
an access enabled/disabled state of data
for each item constituting the data.

5. An apparatus according to claim 4, characterized in
that said access right information storage means
comprises item access right setting means (step
A1) for arbitrarily setting item access right information
representing an access enabled/disabled state
of data for each item constituting the data in
correspondence with each user group.

6. An apparatus according to claim 1, characterized in
that said access right information storage means
(RMF) stores record access right information representing
an access enabled/disabled state of data
for each record constituting the data in correspondence
with each user group.

7. An apparatus according to claim 6, characterized in
that said access right information storage means
comprises record access right setting means (step
A2) for arbitrarily setting record access right information
representing an access enabled/disabled
state of data for each record constituting the data in
correspondence with each user group.

8. An apparatus according to claim 1, characterized in
that said access right information storage means
(RMF) stores, in correspondence with each user
group, item access right information representing
an access enabled/disabled state of data for each
item constituting the data and record access right
information representing an access enabled/disabled
state of data for each record constituting the
data.

9. An apparatus according to claim 8, characterized in
that said access right information storage means
comprises access right setting means (step A3) for
arbitrarily setting item access right information
representing an access enabled/disabled state for
each item constituting the data in correspondence
with each user group and record access right information
representing an access enabled/disabled
state of the data for each record constituting the
data in correspondence with each user group.

10. An apparatus according to claim 1, characterized in
that said generation means (M2) generates user
group information which makes a user group correspond
to each user when a data item representing
a user attribute and stored in said user information
storage means is changed.

11. An apparatus according to claim 1, characterized
by further comprising language generation means
(step E2) for generating a predetermined database
language for analyzing access right information
corresponding to the user group to access the database.

12. A recording medium which records a program for
causing a computer to realize a predetermined
function, characterized by comprising:

a program for realizing a function (M2) of referring
to user information storing at least a data
item representing identification information
unique to a user and a data item representing a
user attribute in correspondence with a plurality
of users, and definition information defining a
user group corresponding to contents of the
data item representing the user attribute, and
of generating user group information made to
correspond to the user group in units of users;
and

a program for realizing a function (M1) of, when
an arbitrary user is designated in accessing a
database, referring to the user group information
to determine a user group to which the
arbitrary user belongs, and determining an
access enabled/disabled state of data in the
database on the basis of the access right information
representing the access enabled/disabled
state of the data in the database and
made to correspond to the determined user
group.

13. A data access control apparatus for limiting access
to data on the basis of a user attribute in accessing
the data in a database having a plurality of records
each constituted by a plurality of data items
characterized by comprising:

user information storage means (3) for storing
at least a data item representing identification
information unique to a user and a data item
representing a user attribute in correspondence
with a plurality of users;
first definition means (FGF) for defining a user
group corresponding to contents of the data
item representing the user attribute;
second definition means (LLF) for defining a
relationship between the identification information
unique to the user and login information
input and designated in accessing data in the
database;

generation means (M2) for generating user
group information which makes the login information
correspond to the user group in units of
users;

access right information storage means (UMF,
FMF, RMF, UAF) for storing access right information
representing an access enabled/disabled
state of data in the database in
correspondence with a user group; and
access control means (M1) for, when arbitrary
login information is input in accessing the database,
referring to user group information generated
by said generation means to determine
a user group to which the user belongs, and
determining the access enabled/disabled
state of the data in the database on the basis of
the access right information made to correspond
to the determined user group.

14. An apparatus according to claim 13, characterized 
in that said first definition means (FGF) defines a 
user group corresponding to a user post. 

15. An apparatus according to claim 13, characterized 
in that said first definition means (FGF) defines a 
user group corresponding to a department to which 
a user belongs. 

16. An apparatus according to claim 13, characterized
in that said access right information storage means
(FMF) stores item access right information representing
an access enabled/disabled state of data
for each item constituting the data.

17. An apparatus according to claim 16, characterized
in that said access right information storage means
comprises item access right setting means (step
A1) for arbitrarily setting item access right information
representing an access enabled/disabled state
of data for each item constituting the data in
correspondence with each user group.

18. An apparatus according to claim 13, characterized
in that said access right information storage means
(RMF) stores record access right information representing
an access enabled/disabled state of data
for each record constituting the data in correspondence
with each user group.

19. An apparatus according to claim 18, characterized
in that said access right information storage means
comprises record access right setting means (step
A2) for arbitrarily setting record access right information
representing an access enabled/disabled
state of data for each record constituting the data in
correspondence with each user group.

20. An apparatus according to claim 13, characterized
in that said access right information storage means
(RMF) stores, in correspondence with each user
group, item access right information representing
an access enabled/disabled state of data for each
item constituting the data and record access right
information representing an access enabled/disabled
state of data for each record constituting the
data.

21. An apparatus according to claim 20, characterized 
in that said access right information storage means 
comprises access right setting means (step A3) for 
arbitrarily setting item access right information rep- 
resenting an access enabled/disabled state for 
each item constituting the data in correspondence 
with each user group and record access right infor- 
mation representing an access enabled/disabled 
state of the data for each record constituting the 
data in correspondence with each user group. 

22. An apparatus according to claim 13, characterized 
in that said generation means (M2) generates user 
group information which makes a user group corre- 
spond to each user when a data item representing 
a user attribute is changed. 

23. An apparatus according to claim 13, characterized
by further comprising language generation means 
(step E3) for generating a predetermined database 
language for analyzing access right information 
corresponding to the user group to access the data- 
base. 

24. A recording medium which records a program for 
causing a computer to realize a predetermined 
function, characterized by comprising: 

a program for realizing a function (M2) of refer- 
ring to user information storing at least a data 
item representing identification information 
unique to a user and a data item representing a 
user attribute in correspondence with a plurality 
of users, definition information defining a user 
group corresponding to contents of the data 
item representing the user attribute, and defini- 
tion information defining a relationship between 
the identification information unique to the user 
and login information input and designated in 
accessing data in the database and of generat- 
ing user group information which makes the 
login information correspond to the user group 
in units of users; and 

a program for realizing a function (M1) of, when 
arbitrary login information is designated in 
accessing a database, referring to the user 
group information to determine a user group to 
which the user belongs, and determining an 
access enabled/disabled state of data in the 
database on the basis of the access right infor- 
mation representing the access enabled/disa- 
bled state of the data in the database and 
made to correspond to the determined user
group and the user access right information 
stored in correspondence with the determined 
user group. 